Configuring the Proxy Server to Handle Client Authentication with Digital Certificates
The certificate mapping file, certmap.conf, determines how the server looks up a user entry in the LDAP directory. The file is located at server_root/userdb; edit it and add entries to match the organization of your LDAP directory and to list the certificates you want your users to have.
Specifically, the mapping file defines:
Where in the LDAP tree the server should begin its search
Which certificate attributes the server should use as search criteria when searching for the entry in the LDAP directory
Whether the server goes through an additional verification process
The following example configures the certmap.conf file so the Proxy Server can begin its search in the LDAP tree.
Modify the certmap.conf file.
To enable the feature, modify the magnus.conf file.
The magnus.conf file is located in server_root/proxy-<instance>/config. A variable with two possible values (ON and OFF) controls this feature; it is disabled (OFF) by default. Use the following syntax:
Refer to the notes in the file for references to the proper configuration.
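The following added illustration (not Sun ONE Proxy Server code) models the three things the mapping file defines: a constructed certmap.conf fragment is parsed, and a client certificate's subject DN is turned into the LDAP search base (DNComps), search filter (FilterComps) and the optional verifycert check. The mapping name, issuer DN and subject DNs are constructed sample values.

```python
"""Added illustration, not Sun ONE Proxy Server code: how a certmap.conf mapping
turns a client certificate's subject DN into the LDAP lookup described above
(search base from DNComps, filter from FilterComps, extra check from verifycert)."""
import hmac

# Constructed certmap.conf fragment: one mapping, named "example", for one issuer.
CERTMAP_CONF = """
# certmap <name> <issuer DN>
certmap example "o=Example Corp, c=US"
example:DNComps      ou, o, c
example:FilterComps  uid
example:verifycert   on
"""


def parse_certmap(text):
    """Parse certmap.conf into {name: {issuer, dncomps, filtercomps, verifycert}}."""
    maps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer.strip('"'), "dncomps": [], "filtercomps": [], "verifycert": False}
            continue
        name, directive = line.split(":", 1)
        key, _, value = directive.strip().lower().partition(" ")   # "dncomps", "ou, o, c"
        if key in ("dncomps", "filtercomps"):                        # an empty list is valid
            maps[name][key] = [a.strip() for a in value.split(",") if a.strip()]
        elif key == "verifycert":
            maps[name][key] = value.strip() == "on"
    return maps


def ldap_lookup(mapping, subject_dn):
    """Return (search base, filter, verifycert) for one subject DN.
    DN values are not un-escaped; the constructed DNs contain no escaped commas."""
    comps = [(a.strip().lower(), v.strip()) for a, v in (p.split("=", 1) for p in subject_dn.split(","))]
    # No DNComps matched (or none configured): the search starts at the directory root.
    base = ",".join(f"{a}={v}" for a, v in comps if a in mapping["dncomps"]) or None
    terms = [f"({a}={v})" for a, v in comps if a in mapping["filtercomps"]]
    filt = None if not terms else terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    return base, filt, mapping["verifycert"]


def cert_matches_entry(presented_der, entry_der):
    """verifycert on: the presented certificate must equal the one stored on the
    user's LDAP entry; the DER bytes are compared in constant time."""
    return hmac.compare_digest(presented_der, entry_der)
```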
To Restrict Access
1. Open a browser and go to http://myproxy.sun.com:81.
   You will be prompted for a user ID and password. Enter the user ID proxyadmin and the password selected during the installation (for example, sun1ProxySvr).
2. Select the Secure-Reverse Proxy instance.
3. Click the Restrict Access link in the menu.
4. Select Entire Server from the drop-down box.
5. Turn access control off or on for the entire server by clicking either Turn off access control or Turn on access control.
   Turning on access control causes more access control settings to appear on your screen.
6. For both Read and Write access, set the default access to Allow or Deny.
   Read access allows a user only to view the file. Write access allows the user to change or delete the file, assuming the user also has access to the file through your server computer's operating system. (Technically, Read includes the HTTP methods GET, HEAD, POST, and INDEX; Write includes PUT, DELETE, MKDIR, RMDIR, and MOVE.)
   For this example, the permissions are set to Deny for both Read and Write access.
7. Specify which users are the exceptions to the default access for each access type by clicking the appropriate Permissions button.
8. Click the Permissions button for Read access.
9. Supply the appropriate information:
   Users: proxyadmin
   Authentication Method: Client certificate (SSL)
   Leave all other options set to the default values.
10. Click OK in the main Restrict Access window.
11. Click Save and Apply.
    This ensures that the changes are recognized by the Proxy Server; restart the proxy instance so that the changes take effect immediately.
12. Verify the Reverse Proxy configuration via SSL authentication using client certificates.
    Open a browser and access the proxy server. In this example, enter:
    The proxy will request a client certificate from the browser. Provide the certificate that you requested from the certificate server that contains the UID used in the example, and the proxy will allow access to the resource.
For other aspects of security tuning for the Sun ONE Proxy Server such as setting banners, caching size/configuration, denial of service (DoS) considerations and so forth, refer to "Increase Server Security" section in the Sun ONE Web Proxy Server 3.6 SP3 Administrator's Guide.